Is it Time to Trust the Cloud? Unpacking the Notorious Nine Jonathan C. Trull, CISO, Qualys Cloud Security Alliance
Agenda: Cloud Security Model; Background on the Notorious Nine; Unpacking the Notorious Nine; Summary; Is it time to trust the cloud?
Introduction: Jonathan C. Trull. CISO for Qualys, a pioneer and leading provider of cloud security and compliance solutions. Formerly the CISO for the State of Colorado, the first state in the country to adopt a Cloud First strategy. Lieutenant Commander in the U.S. Navy Reserve, focused on computer network attack and defense.
Cloud Security / Privacy in Popular Media
Cloud Services Models (figure: On Premise, IaaS, PaaS and SaaS columns, with layers labeled "You manage" or "Managed by vendor")
On-Premise Model: All resources managed by the end-user organization. Everything is private and controlled. (Figure label: "You manage")
IaaS: Virtual infrastructure; Virtual desktop; Backup and recovery; Managed cloud security. (Figure: On Premise and IaaS columns, with layers labeled "You manage" or "Managed by vendor")
PaaS (figure: On Premise, IaaS and PaaS columns, with layers labeled "You manage" or "Managed by vendor")
SaaS (figure: On Premise, IaaS, PaaS and SaaS columns, with layers labeled "You manage" or "Managed by vendor")
Who owns which controls? (Figure: control ownership between Cloud Services Provider and Customer across SaaS, PaaS, IaaS and On Premise)
The Notorious Nine. Purpose: To provide organizations with an up-to-date, expert-informed understanding of cloud security threats in order to make educated risk-management decisions regarding cloud adoption strategies. Methodology: CSA conducted a survey of industry experts to compile professional opinion on the greatest vulnerabilities within cloud computing. The CSA Top Threats working group used these survey results alongside their expertise to craft the final 2013 report.
What is a threat? According to NIST, a threat is any circumstance or event with the potential to adversely impact organizations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. Threat events are caused by threat sources. For threat sources, think adversarial tactics, techniques, and procedures (TTPs); human errors of omission or commission; structural failures of organization-controlled resources; and natural and man-made disasters, accidents and failures beyond the control of the organization.
Threats vs. Vulnerabilities
Meet the Notorious Nine: 1. Breaches 2. Loss 3. Account Hijacking 4. Insecure APIs 5. Denial of Service 6. Malicious Insiders 7. Abuse of Cloud Services 8. Insufficient Due Diligence 9. Shared Technology Issues
Threat # 1: Breaches. A security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
Threat # 2: Loss. An error condition in information systems in which information is destroyed by failures or neglect in storage, transmission, or processing.
Threat # 3: Account or Service Traffic Hijacking. A process through which an individual's email account, computer account, or any other account associated with a computing device is intentionally stolen or hijacked for nefarious purposes.
Threat # 4: Insecure Interfaces and APIs. Application programming interfaces that contain vulnerabilities or weaknesses that allow sensitive data and/or services to be exploited by unauthorized parties.
Threat # 5: Denial of Service. An interruption in an authorized user's access to a computer network or service, typically caused by malicious intent.
Threat # 6: Malicious Insiders. A current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.
Threat # 7: Abuse of Cloud Services. Use of legitimate cloud computing resources for evil.
Threat # 8: Insufficient Due Diligence. Adoption of cloud computing services without fully understanding the risks of such a deployment or without performing sufficient third-party validation of cloud service providers' security and privacy controls.
Threat # 9: Shared Technology Vulnerabilities. Vulnerabilities in key technologies that make cloud computing possible, e.g., hypervisors.
Is it time to trust the cloud? Technically, cloud computing is not better or worse than traditional computing, just different. Likelihood of some risks goes up while others go down. Cloud computing is not responsible for the majority of actual data breaches occurring across the globe. "As such, we are often asked whether the Cloud factors into many of the breaches we investigate. The easy answer is 'No, not really.'" (Source: Verizon Breach Report)
Thank You jtrull@qualys.com